Troubleshooting traffic shaping

This chapter outlines troubleshooting tips and steps to diagnose the shapers and verify whether they are working correctly. The diagnose commands covered include:

  • diagnose system tos-based-priority
  • diagnose firewall shaper traffic-shaper
  • diagnose firewall shaper per-ip-shaper
  • diagnose debug flow

 

Interface diagnosis

To optimize traffic shaping performance, first ensure that the network interface's Ethernet statistics are free of errors, collisions, and buffer overruns. To check the interface, enter the following diagnose command to see the traffic statistics:

diagnose hardware deviceinfo nic <port_name>

 

Shaper diagnose commands

There are specific diagnose commands you can use to verify the configuration and flow of traffic, including packet loss due to the employed shaper.

All of these diagnose troubleshooting commands are supported in both IPv4 and IPv6.

 

ToS command

Use the following command to view information about the ToS lists and traffic:

diagnose system tos-based-priority

This command displays the priority value currently associated with each possible ToS bit value. Priority values are displayed in the order of their corresponding ToS bit values, which range from 0 to 15, from the lowest ToS bit value to the highest.

For example, if you have not configured ToS-based priorities, the following appears…

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

…reflecting that all packets are currently using the same default priority, high (value 0).

If you have configured a ToS-based priority of low (value 2) for packets with a ToS bit value of 3, the following appears…

0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0

…reflecting that most packets are using the default priority value, except those with a ToS bit value of 3.
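The 16-value line is easy to misread because the ToS bit value is only implied by the position. The following Python snippet is an added example (not from the FortiOS handbook or this site) that decodes that line into a ToS-value-to-priority table and lists the entries that differ from the default. The codes high = 0 and low = 2 are as the page states; medium = 1 is an assumption based on FortiOS's high/medium/low scheme.

```python
from __future__ import annotations

# Priority codes: 0 = high (default) and 2 = low are as the page describes;
# 1 = medium is assumed from FortiOS's high/medium/low priority scheme.
PRIORITY_NAMES = {0: "high", 1: "medium", 2: "low"}


def parse_tos_priorities(output: str) -> dict[int, int]:
    """Map each ToS bit value (0-15) to the priority code printed at that position."""
    values = [int(tok) for tok in output.split()]
    if len(values) != 16:
        raise ValueError(f"expected 16 priority values, got {len(values)}")
    for v in values:
        if v not in PRIORITY_NAMES:
            raise ValueError(f"unknown priority code {v}")
    # Position in the line is the ToS bit value, lowest first.
    return dict(enumerate(values))


def non_default_entries(table: dict[int, int]) -> list[tuple[int, str]]:
    """Return (tos_value, priority_name) for every ToS value not left at the default (high)."""
    return [(tos, PRIORITY_NAMES[code]) for tos, code in sorted(table.items()) if code != 0]


def describe(output: str) -> str:
    """One-line human summary of a captured 'diagnose system tos-based-priority' output."""
    changed = non_default_entries(parse_tos_priorities(output))
    if not changed:
        return "all ToS values use the default priority (high)"
    return "; ".join(f"ToS {tos} -> {name}" for tos, name in changed)


# Constructed sample outputs matching the two cases shown on the page.
DEFAULT_OUTPUT = "0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
TOS3_LOW_OUTPUT = "0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0"

if __name__ == "__main__":
    print(describe(DEFAULT_OUTPUT))
    print(describe(TOS3_LOW_OUTPUT))
```

Paste the captured line into `describe()`; a non-empty result from `non_default_entries()` confirms that the ToS-based priority configuration is actually in effect.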

 

Shared shaper

To view information for the shared traffic shaper for security policies, enter the command:

diagnose firewall shaper traffic-shaper list

The resultant output displays the information on all available shapers. The more shapers available, the longer the list. For example:

name Throughput
maximum-bandwidth 1200000 Kb/sec
guaranteed-bandwidth 50000 Kb/sec
current-bandwidth 0 B/sec
priority 1
packets dropped 0

Additional commands include:

diagnose firewall shaper traffic-shaper state – provides the total number of traffic shapers on the FortiGate unit.

diagnose firewall shaper traffic-shaper stats – provides summary statistics on the shapers.

Sample output looks like the following:

shapers 9 ipv4 0 ipv6 0 drops 0

 

PerIP shaper

To view information for the per-IP shaper for security policies, enter the command:

diagnose firewall shaper per-ip-shaper list

The resultant output displays the information on all available per-IP shapers. The more shapers available, the longer the list. For example:

name accounting_group
maximum-bandwidth 200000 Kb/sec
maximum-concurrent-session 55
packet dropped 0

 

Additional commands include:

diagnose firewall shaper per-ip-shaper state – provides the total number of per-ip shapers on the FortiGate unit.

diagnose firewall shaper per-ip-shaper stats – provides summary statistics on the shapers.

Sample output looks like the following:

memory allocated 3 packet dropped: 0

 

You can also clear the per-IP statistical data to begin a fresh diagnosis using:

diagnose firewall shaper per-ip-shaper clear

 

Packet loss with statistics on shapers

For each shaper there are counters that let you verify whether packets have been discarded. To view this information, in the CLI, enter the command diagnose firewall shaper. The results will look similar to the following output:

diagnose firewall shaper traffic-shaper list
name limit_GB_25_MB_50_LQ
maximum-bandwidth 50 Kb/sec
guaranteed-bandwidth 25 Kb/sec
current-bandwidth 51 Kb/sec
priority 3
dropped 1291985

The diagnose command output differs depending on whether the shapers are configured per-policy or shared between policies.

 

For a per-IP shaper the output would be:

diagnose firewall shaper per-ip-shaper list
name accounting_group
maximum-bandwidth 200000 Kb/sec
maximum-concurrent-session 55
packet dropped 3264220
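When a unit has many shapers, reading the list output by eye is slow. The following Python script is an added example (not from the FortiOS handbook or this site) that parses the shared and per-IP shaper list outputs shown above into records and flags the two things a troubleshooter checks first: a non-zero drop counter, and a current rate above the configured maximum (which is exactly what the limit_GB_25_MB_50_LQ sample shows). The sample outputs are constructed from the page's examples; treating "Kb" as 1024 bits and "B/sec" as bytes per second is an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample output laid out as the two list commands print it: the
# shared-shaper list has one healthy shaper and one that is dropping, and the
# per-IP list shows accounting_group with a large drop count.
TRAFFIC_SHAPER_LIST = """\
name Throughput
maximum-bandwidth 1200000 Kb/sec
guaranteed-bandwidth 50000 Kb/sec
current-bandwidth 0 B/sec
priority 1
packets dropped 0
name limit_GB_25_MB_50_LQ
maximum-bandwidth 50 Kb/sec
guaranteed-bandwidth 25 Kb/sec
current-bandwidth 51 Kb/sec
priority 3
dropped 1291985
"""

PER_IP_SHAPER_LIST = """\
name accounting_group
maximum-bandwidth 200000 Kb/sec
maximum-concurrent-session 55
packet dropped 3264220
"""

# Assumption: "Kb" is 1024 bits and "B/sec" is bytes per second.
UNIT_TO_BPS = {"Kb": 1024, "B": 8}

RATE_RE = {
    "max_bps": re.compile(r"maximum-bandwidth\s+(\d+)\s+(Kb|B)/sec"),
    "guaranteed_bps": re.compile(r"guaranteed-bandwidth\s+(\d+)\s+(Kb|B)/sec"),
    "current_bps": re.compile(r"current-bandwidth\s+(\d+)\s+(Kb|B)/sec"),
}
PRIORITY_RE = re.compile(r"\bpriority\s+(\d+)")
SESSIONS_RE = re.compile(r"maximum-concurrent-session\s+(\d+)")
# The drop counter is printed as "dropped", "packet dropped" or "packets dropped".
DROPPED_RE = re.compile(r"(?:packets?\s+)?dropped:?\s+(\d+)")


@dataclass
class ShaperStats:
    name: str
    max_bps: int | None = None
    guaranteed_bps: int | None = None
    current_bps: int | None = None
    priority: int | None = None
    max_sessions: int | None = None
    dropped: int = 0


def parse_shaper_list(output: str) -> list[ShaperStats]:
    """Split the output into one record per 'name' line and extract the known fields."""
    shapers: list[ShaperStats] = []
    for block in re.split(r"^name\s+", output, flags=re.MULTILINE)[1:]:
        name, _, body = block.partition("\n")
        s = ShaperStats(name=name.strip())
        for attr, pattern in RATE_RE.items():
            m = pattern.search(body)
            if m:
                setattr(s, attr, int(m.group(1)) * UNIT_TO_BPS[m.group(2)])
        if m := PRIORITY_RE.search(body):
            s.priority = int(m.group(1))
        if m := SESSIONS_RE.search(body):
            s.max_sessions = int(m.group(1))
        if m := DROPPED_RE.search(body):
            s.dropped = int(m.group(1))
        shapers.append(s)
    return shapers


def findings(shapers: list[ShaperStats]) -> list[str]:
    """Flag drops, rates above the maximum, and guaranteed > maximum misconfigurations."""
    out: list[str] = []
    for s in shapers:
        if s.dropped:
            out.append(f"{s.name}: {s.dropped} packets dropped by the shaper")
        if s.current_bps is not None and s.max_bps is not None and s.current_bps > s.max_bps:
            out.append(f"{s.name}: current rate {s.current_bps} bit/s is above the maximum {s.max_bps} bit/s")
        if s.guaranteed_bps is not None and s.max_bps is not None and s.guaranteed_bps > s.max_bps:
            out.append(f"{s.name}: guaranteed bandwidth exceeds maximum bandwidth (misconfiguration)")
    return out


if __name__ == "__main__":
    for line in findings(parse_shaper_list(TRAFFIC_SHAPER_LIST) + parse_shaper_list(PER_IP_SHAPER_LIST)):
        print(line)
```

Run the parser over a capture taken before and after a test transfer; a drop counter that grows while the current rate sits at the maximum is the shaper doing its job, whereas drops with the rate well below the maximum point at the guaranteed/maximum settings or the interface's outbandwidth rather than at the shaper itself.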

 

Packet lost with the debug flow

When using the debug flow diagnostic command, there is a specific message indicating that a packet has exceeded the shaper limits and was therefore discarded:

diagnose debug flow show console enable
diagnose debug flow filter addr 10.143.0.5
diagnose debug flow trace start 1000

id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
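A debug flow trace interleaves the lines of many packets, so the drop message has to be tied back to the packet line with the same trace_id. The following Python script is an added example (not from the FortiOS handbook or this site) that groups a captured trace by trace_id, extracts the protocol, addresses, ingress port and session id from the "received a packet" and "Find an existing session" lines, and reports which traces ended in "exceeded shaper limit, drop". The capture is constructed: trace_id 11 is the page's dropped packet; trace_id 12, with the invented session id-0000eabd, is an added accepted packet so the filter has something to leave out.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed sample capture in the format shown above. trace_id 11 is the dropped
# packet from the page; trace_id 12 (session id-0000eabd, invented) is an accepted packet.
DEBUG_FLOW = '''\
id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
id=20085 trace_id=12 msg="vd-root received a packet(proto=17, 10.141.0.11:3736->10.143.0.5:5001) from port5."
id=20085 trace_id=12 msg="Find an existing session, id-0000eabd, original direction"
'''

LINE_RE = re.compile(r'\btrace_id=(\d+)\s+msg="(.*)"')
PACKET_RE = re.compile(r"received a packet\(proto=(\d+),\s*([\d.]+):(\d+)->([\d.]+):(\d+)\)\s+from\s+(\S+)\.")
SESSION_RE = re.compile(r"existing session,\s*(id-[0-9a-f]+)")
DROP_MSG = "exceeded shaper limit, drop"


def parse_debug_flow(text: str) -> list[dict]:
    """Group trace lines by trace_id, keeping the packet tuple, session id and drop verdict."""
    traces: dict[int, dict] = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(tid, {"trace_id": tid, "packet": None, "session": None, "shaper_drop": False})
        if pm := PACKET_RE.search(msg):
            t["packet"] = {
                "proto": int(pm.group(1)),
                "src": f"{pm.group(2)}:{pm.group(3)}",
                "dst": f"{pm.group(4)}:{pm.group(5)}",
                "ingress": pm.group(6),
            }
        if sm := SESSION_RE.search(msg):
            t["session"] = sm.group(1)
        if DROP_MSG in msg:
            t["shaper_drop"] = True
    return list(traces.values())


def shaper_drops(traces: list[dict]) -> list[dict]:
    """Only the traces whose packet was discarded by a shaper."""
    return [t for t in traces if t["shaper_drop"]]


def drops_by_destination(traces: list[dict]) -> Counter:
    """Count shaper drops per destination ip:port, which is where the shaped flow lands."""
    return Counter(t["packet"]["dst"] for t in shaper_drops(traces) if t["packet"])


def summarize(text: str) -> list[str]:
    """One line per dropped packet, ready to paste into a ticket."""
    lines = []
    for t in shaper_drops(parse_debug_flow(text)):
        p = t["packet"] or {}
        lines.append(
            f"trace {t['trace_id']}: proto {p.get('proto')} {p.get('src')} -> {p.get('dst')} "
            f"via {p.get('ingress')} session {t['session']}: dropped by shaper"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(DEBUG_FLOW):
        print(line)
```

Because the filter above is on an address, `drops_by_destination()` is what tells you whether the shaper drops concentrate on one flow (one shaper at its limit) or are spread across many destinations (the shared or per-IP shaper is undersized for the aggregate).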

 

Session list details with dual traffic shaper

When a security policy has a different traffic shaper for each direction, this is reflected in the session list output from the CLI:

diagnose system session list

session info: proto=6 proto_state=02 expire=115 timeout=3600 flags=00000000 sock flag=00000000 sockport=0 av_idx=0 use=4

origin-shaper=Limit_25Mbps prio=1 guarantee 25600/sec max 204800/sec traffic 48/sec
reply-shaper=Limit_100Mbps prio=1 guarantee 102400/sec max 204800/sec traffic 0/sec
ha_id=0 hakey=44020

policy_dir=0 tunnel=/

state=may_dirty rem os rs

statistic(bits/packets/allow_err): org=96/2/1 reply=0/0/0 tuples=2

orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=10.160.0.1/0.0.0.0 hook=pre dir=org act=dnat 192.168.171.243:2538->192.168.182.110:80(10.160.0.1:80) hook=post dir=reply act=snat 10.160.0.1:80->192.168.171.243:2538(192.168.182.110:80) pos/(before,after) 0/(0,0), 0/(0,0)

misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0 serial=00011e81 tos=ff/ff app=0 dd_type=0 dd_rule_id=0
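To confirm from the session table which shaper each direction of a flow is bound to, the origin-shaper and reply-shaper fields have to be read together with the policy id. The following Python script is an added example (not from the FortiOS handbook or this site) that parses one or more "session info" blocks, returns the per-direction shaper bindings, tells you whether a session is using a dual shaper (different names in the two directions), and lists any direction whose traffic counter is above the shaper's max. The sample block is constructed from the page's output; the rate fields are compared as the raw per-second numbers the session list prints.

```python
from __future__ import annotations

import re

# Constructed sample in the layout of the session list shown above.
SESSION_LIST = """\
session info: proto=6 proto_state=02 expire=115 timeout=3600 flags=00000000 sock flag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=Limit_25Mbps prio=1 guarantee 25600/sec max 204800/sec traffic 48/sec
reply-shaper=Limit_100Mbps prio=1 guarantee 102400/sec max 204800/sec traffic 0/sec
ha_id=0 hakey=44020
policy_dir=0 tunnel=/
state=may_dirty rem os rs
statistic(bits/packets/allow_err): org=96/2/1 reply=0/0/0 tuples=2
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0 serial=00011e81 tos=ff/ff app=0 dd_type=0 dd_rule_id=0
"""

SHAPER_RE = re.compile(
    r"(origin|reply)-shaper=(\S+)\s+prio=(\d+)\s+guarantee\s+(\d+)/sec\s+max\s+(\d+)/sec\s+traffic\s+(\d+)/sec"
)
POLICY_RE = re.compile(r"\bpolicy_id=(\d+)")
SERIAL_RE = re.compile(r"\bserial=([0-9a-f]+)")


def parse_session(block: str) -> dict:
    """Extract the per-direction shaper bindings from one 'session info' block."""
    shapers: dict[str, dict] = {}
    for m in SHAPER_RE.finditer(block):
        direction, name, prio, guarantee, maximum, traffic = m.groups()
        shapers[direction] = {
            "name": name,
            "prio": int(prio),
            "guarantee": int(guarantee),
            "max": int(maximum),
            "traffic": int(traffic),
        }
    policy = POLICY_RE.search(block)
    serial = SERIAL_RE.search(block)
    return {
        "serial": serial.group(1) if serial else None,
        "policy_id": int(policy.group(1)) if policy else None,
        "shapers": shapers,
    }


def parse_session_list(text: str) -> list[dict]:
    """Split 'diagnose system session list' output into sessions; blocks start at 'session info:'."""
    blocks = re.split(r"^session info:", text, flags=re.MULTILINE)[1:]
    return [parse_session(b) for b in blocks]


def is_dual_shaper(session: dict) -> bool:
    """True when the two directions are bound to differently named shapers."""
    s = session["shapers"]
    return "origin" in s and "reply" in s and s["origin"]["name"] != s["reply"]["name"]


def over_limit_directions(session: dict) -> list[str]:
    """Directions whose current traffic counter exceeds the shaper's max."""
    return [d for d, v in session["shapers"].items() if v["traffic"] > v["max"]]


if __name__ == "__main__":
    for sess in parse_session_list(SESSION_LIST):
        kind = "dual shaper" if is_dual_shaper(sess) else "single/no shaper"
        print(sess["serial"], "policy", sess["policy_id"], kind, sess["shapers"])
```

Filtering the session list (for example with diagnose system session filter) before feeding it to the parser keeps the output to the flows under test; a session that shows only an origin-shaper, or the same name in both directions, is the quickest sign that the reverse-direction shaper was not applied to the policy.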

 

Additional Information

  • Packets discarded by the shaper affect flow-control mechanisms such as TCP. For more accurate test results, prefer UDP.
  • Traffic shaping accuracy is best for security policies without a protection profile, where no FortiGate content inspection is performed.
  • Do not oversubscribe the outbandwidth throughput; for example, sum[guaranteed BW] < outbandwidth. For accuracy in bandwidth calculation, the "outbandwidth" parameter must be set on the interfaces. For more information see Bandwidth guarantee, limit, and priority interactions on page 2468.
  • The FortiGate unit does not prioritize traffic based on the DSCP marking configured in the security policy. However, ToS-based prioritizing can be done at ingress. For more information see Traffic shaping methods on page 2476.

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
